Creator of the fake boarding pass generator appears to be in big trouble

October 28th, 2006

Ever wonder if the security at airports is sufficient to stop a trained terrorist? Is the ban on liquids over 3 oz. really keeping us safe? Do I really need to take off my shoes to have them X-rayed?

A friend of mine accidentally attempted to go through airport security in Seattle last weekend, with a knife. I don’t know all of the details, but if you normally carry a knife, I would be sure to double check everything before going through security. The TSA seems to be quite serious about these sorts of things.

Meanwhile, in a different city, my girlfriend and I were trying to fly back to Seattle. TSA was announcing every few minutes that “All liquids and gels must be less than 3oz in volume and all must be placed in a quart size ziplock bag. If you do not have a ziplock bag, they are for sale at the gift shop in Concourse 1.” Although I was curious as to how much a single ziplock bag from a gift shop would set me back, I did not have the desire to walk a half mile to the other concourse. Fortunately, I was able to get one from the ticket counter. What if I had six 3 oz. containers?

This really doesn’t make sense. But we are a nation living in fear, so it is not surprising. If a terrorist or anyone else for that matter really wanted to do harm, the TSA is not going to stop them. There are of course many people, like myself, who believe that airline security is more about perception than security.

One such person is Christopher Soghoian, a Ph.D. student who spends a lot of his time traveling and thinking about airport security. One idea he came up with, funny at the time, was the creation of a “fake boarding pass generator”. I discovered his tale on the Wired.com blog 27B Stroke 6.
His theory appears to capitalize upon a weakness that Senator Charles Schumer of NY first spoke about in this February 2005 press release:

Schumer today laid out the following scenario in which someone on the terrorist watch list can get through airline security undetected:

1. Joe Terror (whose name is on the terrorist watch list) buys a ticket online in the name of Joe Thompson using a stolen credit card. Joe Thompson is not listed on the terrorist watch list.

2. Joe Terror then prints his “Joe Thompson” boarding pass at home, and then electronically alters it (either by scanning or altering the original image, depending on the airline system and the technology he uses at home) to create a second almost identical boarding pass under the name Joe Terror, his name.

3. Joe Terror then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real drivers license. The airport employee matches the name and face to the real ID.

4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terror goes through. He/she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.

5. Joe Terror then goes through the gate into his plane using the real Joe Thompson boarding pass for the gate’s computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. [Since Joe Thompson doesn’t actually exist it does not coincide with a name on the terrorist watch list] Joe Terror boards the plane, no questions asked.

Chris figured that the best way to change the system would be to call attention to this weakness. He did this by creating a fake boarding pass generator. This generator would create an authentic-looking Northwest Airlines boarding pass in any name. A sample boarding pass is below. The Washington Post has a screen shot of the generator before the site was taken down and further discussion on their blog.

[Image: sample boarding pass, osama.jpg]

While I can see the humor in this and the fact that he most certainly did not intend to actually use this for illegal purposes, I doubt he had any idea who was outside when there was a knock a couple days ago…

As reported on BoingBoing, he was visited by the FBI who “had a few questions” for him.

After the interview he was quite shaken and decided to spend the night at an undisclosed location. This morning, upon returning home, he found his apartment totally ransacked with a search warrant on the table.

Chris recounts the tale on his blog at slightparanoia.blogspot.com:

I came back today, to find the glass on the front door smashed.

Inside, is a rather ransacked home, a search warrant taped to my kitchen table, a total absence of computers - and various other important things. I have no idea what time they actually performed the search, but the warrant was approved at 2AM. I’m sincerely glad I wasn’t in bed when they raided the house. That would have been even more scary.

And he posted a copy of the warrant.

[Images: search-warrant-page1.png, search-warrant-page-2.png]

I wonder how this will all turn out. Will the government make an ‘example’ out of him? And even if they do attempt to make an example out of him, chances are his case would crumble like so many other cases before it.

Author: Cory | Categories: Miscellaneous, Travel

  1. October 30th, 2006 at 13:28 | #1

    What’s really scary is the self-censorship that results from these kinds of stories.